Peers behind a firewall #5241
ouroboros-network/lib/Ouroboros/Network/PeerSelection/Governor/EstablishedPeers.hs
| -- ^ True if peer is not behind a firewall | ||
| <$> readLocalRootPeers | ||
|
|
||
| peerconn <- establishPeerConnection isBigLedgerPeer diffusionMode peeraddr connectionMode |
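Review bot: The haddock on the first line, `-- ^ True if peer is not behind a firewall`, has the opposite polarity to the names used elsewhere in this patch (`behindFirewall`, `localRootBehindFirewall`), where True means the peer is behind a firewall. Either flip the comment or make the negation explicit at this site and document it, since a silently inverted flag would select the wrong set of peers.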
rename connectionMode to provenance.
| -> DiffusionMode | ||
| -> peeraddr -> m peerconn, | ||
| -> peeraddr | ||
| -> ConnectionMode |
Use Provenance here instead.
| when (inboundRequired connectionMode) $ | ||
| throwIO (withCallStack $ InboundConnectionNotFound peerAddr) | ||
|
|
The damage is done by the time you do this check. A few lines above in the Nothing case we have updated the stateVar by inserting this outbound connection into the CM's connection table.
| localRootsToRelayAccessPoint | ||
| :: LocalRoots | ||
| -> [(RelayAccessPoint, PeerAdvertise, Bool)] | ||
| localRootsToRelayAccessPoint LocalRoots {rootConfig, behindFirewall} = | ||
| (\(accessPoint, advertise) -> (accessPoint, advertise, behindFirewall)) | ||
| <$> rootConfigToRelayAccessPoint rootConfig |
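Review bot: The result type `[(RelayAccessPoint, PeerAdvertise, Bool)]` carries the firewall flag as an unlabelled third tuple component, so call sites that destructure it cannot tell what True means. If this function stays, return a small record or a dedicated two-constructor type instead of `Bool`, and add a haddock line stating the meaning.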
I don't think it's needed.
| extraLocalRootFlags :: !extraFlags | ||
| peerAdvertise :: !PeerAdvertise, | ||
| diffusionMode :: !DiffusionMode, | ||
| localRootBehindFirewall :: !Bool, |
Change this type to Provenance?
This will also avoid boolean blindness 😄, but it still should be a Boolean value in json.
| IsTrustable -> not | ||
| . null | ||
| . rootAccessPoints | ||
| . rootConfig |
I don't think it's needed - see my other comments.
|
|
||
| type AcquireOutboundConnection peerAddr handle handleError m | ||
| = DiffusionMode -> peerAddr -> m (Connected peerAddr handle handleError) | ||
| = DiffusionMode -> peerAddr -> ConnectionMode -> m (Connected peerAddr handle handleError) |
s/ConnectionMode/Provenance/
| -- | ||
| | InboundConnectionNotFound !peerAddr !CallStack |
This can be a typical case where an inbound is not found for behind firewall peers. Maybe instead create the opposite trace where we inform that we are establishing a connection back to a peer of 'inbound' provenance?
@crocodile-dentist I’m not sure the
What I had in mind was a little overloading of the meaning of provenance. So
coot left a comment
I agree with @crocodile-dentist that we could use Provenance instead of ConnectionMode. But it would be good to ask @karknu if he agrees with the terminology, since it might be a bit surprising for an SPO.
A few other comments & suggestions follow.
| inboundRequired :: ConnectionMode -> Bool | ||
| inboundRequired RequireInbound = True | ||
| inboundRequired _other = False |
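Review bot: The catch-all clause `inboundRequired _other = False` makes every constructor other than `RequireInbound`, including any added to `ConnectionMode` later, behave as "inbound not required" without a compiler warning. Match each constructor explicitly so that extending the type forces this decision to be revisited.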
This function is unnecessary indirection, we can directly pattern match on the constructors.
| return ( Just (Right (TrInboundConnectionNotFound connectionMode peerAddr)) | ||
| , mutableConnState | ||
| , Left (withCallStack | ||
| (InboundConnectionNotFound connectionMode peerAddr)) | ||
| ) |
code style:
| return ( Just (Right (TrInboundConnectionNotFound connectionMode peerAddr)) | |
| , mutableConnState | |
| , Left (withCallStack | |
| (InboundConnectionNotFound connectionMode peerAddr)) | |
| ) | |
| return ( Just (Right (TrInboundConnectionNotFound connectionMode peerAddr)) | |
| , mutableConnState | |
| , Left (withCallStack | |
| (InboundConnectionNotFound connectionMode peerAddr)) | |
| ) |
| if inboundRequired connectionMode | ||
| then do | ||
| return ( Just (Right (TrInboundConnectionNotFound connectionMode peerAddr)) | ||
| , mutableConnState |
There's no point in returning mutableConnState (this branch of if should not execute newMutableConnState as it must not be used, which requires a bit more refactoring).
| , Left (withCallStack | ||
| (InboundConnectionNotFound connectionMode peerAddr)) |
I was trying to find out if throwing an exception in this case is right or should we return an explicit value. After a deliberation, I think it's fine to do so (and thus throw an exception). The outbound governor is not supposed to call establishPeerConnection unless there already is an inbound connection for such a peer. So if we find InboundConnectionNotFound in the logs, it's actually a signal for us to debug it.
There could be a race condition here, but maybe throwing an exception is still a convenient way of dealing with it anyway.
| extraLocalRootFlags :: !extraFlags | ||
| peerAdvertise :: !PeerAdvertise, | ||
| diffusionMode :: !DiffusionMode, | ||
| localRootBehindFirewall :: !Bool, |
This will also avoid boolean blindness 😄, but it still should be a Boolean value in json.
| -- Note: Some peers may be behind a firewall. Local root peers marked as | ||
| -- behind a firewall are not excluded from this list. | ||
| -- |
Thanks for the note.
| isUnreachablePeer (LocalRootConfig {localRootBehindFirewall}) = | ||
| localRootBehindFirewall | ||
| unreachablePeers = | ||
| Map.keysSet | ||
| $ Map.filter isUnreachablePeer | ||
| $ LocalRootPeers.toMap local |
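Review bot: `unreachablePeers` is computed only from `localRootBehindFirewall`, so the name claims more than the data says: the set is the local roots configured as behind a firewall, not peers observed to be unreachable. Rename it (and `isUnreachablePeer`) to match the flag, or document the intended meaning next to the binding.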
| isUnreachablePeer (LocalRootConfig {localRootBehindFirewall}) = | |
| localRootBehindFirewall | |
| unreachablePeers = | |
| Map.keysSet | |
| $ Map.filter isUnreachablePeer | |
| $ LocalRootPeers.toMap local | |
| unreachablePeers = | |
| Map.keysSet | |
| $ Map.filter localRootBehindFirewall | |
| $ LocalRootPeers.toMap local |
| ((,,) <$> govLocalRootPeersSig | ||
| <*> govUnreachablePeersSig | ||
| <*> govInboundConnectionsSig) |
code style
| ((,,) <$> govLocalRootPeersSig | |
| <*> govUnreachablePeersSig | |
| <*> govInboundConnectionsSig) | |
| ((,,) <$> govLocalRootPeersSig | |
| <*> govUnreachablePeersSig | |
| <*> govInboundConnectionsSig) |
| govInboundConnectionsSig :: Signal (Set NtNAddr) | ||
| govInboundConnectionsSig = |
| govInboundConnectionsSig :: Signal (Set NtNAddr) | |
| govInboundConnectionsSig = | |
| -- all connections which triggered `TrConnectionNotFound Inbound` | |
| govNotFoundInboundConnSig :: Signal (Set NtNAddr) | |
| govNotFoundInboundConnSig = |
| <$> (RootConfig | ||
| <$> o .: "accessPoints" | ||
| <*> o .:? "advertise" .!= DoNotAdvertisePeer) |
Don't we have a FromJSON instance for RootConfig that can be used here?
I agree with @crocodile-dentist.
Description
Closes #4381